https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515697#M2871 <P>So, nevertheless the install_date as string is hard to filter by date.<BR />To resolve this, parse_timestamp might be a solution, but i dont get how it works...</P> <P>The install_date string is&nbsp;<SPAN>"2022-08-11" which i'd like to convert to something filterable like "Aug&nbsp;11th 2022".</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Sep 2022 14:21:39 GMT RonaldWeiss 2022-09-22T14:21:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515654#M2866 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>my goal is to see which host has not actual windows kbs installed. I would need the last KB installed information per host.&nbsp;</P> <P>&nbsp;</P> <P>Now I need to limit it per host, and not through the whole query result. Do you have an Idea how to get this running? Maybe you have another ideas how we can check fast which host is not Windows up to date with Cortex XDR Pro?</P> <P>I also thought about to filter it for hosts which have not installed anything from the actual month. Maybe it is a better and faster way?&nbsp;</P> <P>&nbsp;</P> <P>config case_sensitive = false<BR />| dataset = host_inventory</P> <P><BR />| arrayexpand kbs<BR />| alter kbnr = json_extract(kbs , "$.name"), install_date = json_extract(kbs , "$.installation_date")<BR />| fields host_name, kbs, install_date<BR />| limit 1 // Limiting the results to only the top 1<BR />|sort desc install_date</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Wed, 21 Sep 2022 22:01:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515654#M2866 RFeyertag 2022-09-21T22:01:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515674#M2869 <P>HI&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;,</P> <P>&nbsp;</P> <P>Instead of running an XQL query, you can also consider running scripts on the endpoints with XDR Pro Capabilities enabled.&nbsp;<BR />Simply, go to script execution, select execute commands and run the following command</P> <LI-CODE lang="markup">wmic qfe GET HotFixID, InstalledOn</LI-CODE> <P>Select your target endpoints and run the script on the same. You should be able to get the latest KBs on all endpoints with their install dates. You can pull the CSV or report widget for the same and tally your data with the latest KB dates and build number.</P> <P><BR /><BR />If you still need to consider the query mechanism, you can filter it by hostname.</P> Thu, 22 Sep 2022 05:13:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515674#M2869 neelrohit 2022-09-22T05:13:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515696#M2870 <P>Perhaps this might be what you want:</P> <P>&nbsp;</P> <P>config case_sensitive = false<BR />| dataset = host_inventory</P> <P><BR />| arrayexpand kbs<BR />| alter kbnr = json_extract(kbs , "$.name"), install_date = json_extract(kbs , "$.installation_date")<BR />| fields host_name, kbnr , install_date <BR />|dedup host_name by desc install_date <BR />| sort asc install_date</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>and after that, perhaps a "|limit 50"</P> Thu, 22 Sep 2022 14:26:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515696#M2870 RonaldWeiss 2022-09-22T14:26:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515697#M2871 <P>So, nevertheless the install_date as string is hard to filter by date.<BR />To resolve this, parse_timestamp might be a solution, but i dont get how it works...</P> <P>The install_date string is&nbsp;<SPAN>"2022-08-11" which i'd like to convert to something filterable like "Aug&nbsp;11th 2022".</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Sep 2022 14:21:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515697#M2871 RonaldWeiss 2022-09-22T14:21:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515783#M2888 <P>You can sort out the parse_timestamp with this line:&nbsp;&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">alter install_date_mod = parse_timestamp("\"%Y-%m-%d\"", install_date</LI-CODE> <P>&nbsp;</P> <P>Note the use of regex to escape the double-quotes that comes as part of the default install_date string.&nbsp;</P> <P>&nbsp;</P> <P>So the whole query would look like</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = host_inventory | arrayexpand kbs | alter kbnr = json_extract(kbs , "$.name"), install_date = json_extract(kbs , "$.installation_date") | fields host_name, kbnr , install_date | alter install_date = parse_timestamp("\"%Y-%m-%d\"", install_date) | dedup host_name by desc install_date | sort asc install_date</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 23 Sep 2022 06:22:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515783#M2888 bbarmanroy 2022-09-23T06:22:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515884#M2891 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/142551">@neelrohit</a>,&nbsp;</P> <P>&nbsp;</P> <P>I will note this query for other use cases, but for my use case it isn't the best solution, because this is an live query.</P> <P>The agents are sometimes 2 or 3 weeks offline. So it would need much time to run after them.&nbsp;</P> <P>And with the xql query I have 98% coverage of all of our agents.&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Sat, 24 Sep 2022 20:23:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515884#M2891 RFeyertag 2022-09-24T20:23:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515885#M2892 <P>Thank you very much!&nbsp;</P> <P>My final query, which was integrated into a widget and dashboard:</P> <P>&nbsp;</P> <P>config timeframe between "-1y" and "+5d" <BR />|dataset = host_inventory<BR />| arrayexpand kbs<BR />| alter kbnr = json_extract(kbs , "$.name"), install_date = json_extract(kbs , "$.installation_date")<BR />| fields host_name, kbnr , install_date, agent_domain <BR />| alter install_date = parse_timestamp("\"%Y-%m-%d\"", install_date)<BR />| dedup host_name, agent_domain by desc install_date<BR />| sort asc install_date</P> <P>&nbsp;</P> <P>Some issues with the content can be found in this conversation:</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-inventory-installed-kbs-no-entry/td-p/515883" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/host-inventory-installed-kbs-no-entry/td-p/515883</A></P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 24 Sep 2022 20:26:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-for-highest-available-install-date-of-kbs-checking-hosts-for/m-p/515885#M2892 RFeyertag 2022-09-24T20:26:35Z